Fix memory leak

Fixed oss-fuzz #45535

Author: dstogov

ext/opcache/Optimizer/zend_inference.c

@@ -2748,6 +2748,20 @@ static zend_always_inline int _zend_update_type_info(
 					tmp &= ~MAY_BE_REF;
 					tmp |= MAY_BE_NULL|MAY_BE_FALSE|MAY_BE_TRUE|MAY_BE_LONG|MAY_BE_DOUBLE|MAY_BE_STRING|MAY_BE_RC1|MAY_BE_RCN;
 				}
+				if ((tmp & (MAY_BE_RC1|MAY_BE_RCN)) == MAY_BE_RCN) {
+					/* refcount may be indirectly decremented. Make an exception if the result is used in the next instruction */
+					if (!ssa_opcodes) {
+						if (ssa->vars[ssa_op->result_def].use_chain < 0
+						 || opline + 1 != op_array->opcodes + ssa->vars[ssa_op->result_def].use_chain) {
+							tmp |= MAY_BE_RC1;
+					    }
+					} else {
+						if (ssa->vars[ssa_op->result_def].use_chain < 0
+						 || opline + 1 != ssa_opcodes[ssa->vars[ssa_op->result_def].use_chain]) {
+							tmp |= MAY_BE_RC1;
+					    }
+					}
+				}
 				UPDATE_SSA_TYPE(tmp, ssa_op->result_def);
 				COPY_SSA_OBJ_TYPE(ssa_op->op2_use, ssa_op->result_def);
 			}

ext/opcache/tests/jit/assign_052.phpt

@@ -0,0 +1,20 @@
+--TEST--
+JIT ASSIGN: incorrect reference counting
+--INI--
+opcache.enable=1
+opcache.enable_cli=1
+opcache.file_update_protection=0
+opcache.jit_buffer_size=1M
+opcache.protect_memory=1
+--FILE--
+<?php
+function foo(){
+    for($cnt = 0; $cnt < 6; $cnt++) {
+        $t[$i = $s][] = [] > $n[$i = $j] = $s = $a . $a = $f;
+    }
+}
+@foo();
+?>
+DONE
+--EXPECT--
+DONE